NCHRP 20-59(51)A [Completed]
Security 101: A Physical & Cyber Security Primer for Transportation Agencies
| Project Data
||Countermeasures Assessment & Security Experts, LLC |
||Mr. Ernest R. 'Ron' Frazier|
In 2012, the AASHTO Special Committee on Transportation Security and Emergency Management (SCOTSEM) adopted TRB’s National Cooperative Highway Research Program (NCHRP) Report 525, Vol. 14: Security 101: A Physical Security Primer for Transportation Agencies (available at https://www.trb.org/Publications/Blurbs/162394.aspx). As stated in NCHRP Report 525, Vol. 14, Security 101 “provides transportation managers and employees with an introductory-level reference document to enhance their working knowledge of security concepts, guidelines, definitions, and standards. This is a document for use primarily by those who are neither security professionals nor well versed in security language. There are many types of security: personal, cyber, document, information, operations, personnel, infrastructure, etc. The document adopted in 2012 focuses on physical security, the part of security concerned with measures and concepts designed to (1) safeguard personnel; (2) prevent unauthorized access to equipment, installations, materiel, and documents; and (3) safeguard equipment, installations, materiel, and documents against espionage, sabotage, damage, and theft. “Physical security is integral to an all-hazards approach to preparedness. As such, the report adopted in 2012 covers the major components of an effective security program at the conceptual level, including risk management and risk assessment, plans and strategies, physical security countermeasures, security personnel and other personnel, infrastructure protection, and homeland security. The primer can be used as an introduction to the extensive literature and additional sources of information identified in the appendixes; however, readers are reminded that plans need to be tested through exercises to ensure adequacy and to reinforce roles and responsibilities.” Since publication of Security 101, there have been both significant changes and a substantial increase in knowledge about surface transportation security. The decade-long effort to improve the state of security and emergency management practice in the transportation industry has produced new strategies, programs, and ways of doing business that have increased the security of our transportation systems as well as ensured their resiliency. Research is needed to update Security 101 to reflect the changed circumstances and to include cyber-related information.
The objective of this research is to develop a recommended second edition of Security 101 for use by transportation personnel without a security background whose work requires them to address, perform, or supervise security or infrastructure protection activities as a part of their overall job responsibilities. The updated Security 101 should be suitable for adoption by the AASHTO Special Committee on Transportation Security and Emergency Management (SCOTSEM). The updated Security 101 should reference the latest practice and guidance in infrastructure protection encompassing cyber and physical security. This update would include guidance from USDOT, FHWA, AASHTO, APTA, FTA, FEMA, TSA, DHS, National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO), and TRB. The work will update fundamental definitions for: (1) surface transportation physical and cyber security; (2) all-hazards planning; and (3) resilience of transportation operations in the post 9-11 environment. Emphasis will be placed upon expanding the Security 101 products to capture the current practice and guidance in relation to recently developed:
- risk management and assessment processes
- standards, guidance, and tools
- technologies for transportation infrastructure protection
- staffing models and deployment methods
- design build and structural improvement criteria
- all-hazards resource acquisition, budgeting, and allocation
- security and emergency management implementation methods and procedures
- legal issues associated with security management
- employee training requirements
Accomplishment of the project objective will require at least the following tasks.
(1). Meet with the project panel to discuss and finalize the working plan. (2). Review pertinent domestic and international research, on the basis of applicability, conclusiveness of findings, and usefulness for the analytical needs of physical and cyber security at transportation agencies. As a primer, the project should be of some utility to airports, rail, and ferries; however, the primary audiences are highway and transit. Other modes should be referenced and the relevant guidance for each mode should be referenced. Include completed research and research currently underway. (3). Review the current physical and cyber security practices of transportation agencies in meeting their responsibilities and assess the usefulness of available guidance. Describe the range of transportation agency implementation practices through illustrative case studies. (4). Develop a detailed outline of the updated Security 101 and a revised work plan for Phase II. Recommend research activities for Phase II to achieve the project objective. (5). Submit an interim report, within 6 months, to document the findings of Tasks 1 through 4 for review by the NCHRP.
(6). Carry out the approved Phase II work plan in accordance with panel direction at the interim meeting. (7). Prepare a stand-alone technical memorandum titled “Implementation of Research Findings and Products.” (8). Final deliverables should include the following: (1) the updated Security 101 for use by transportation personnel without a security background whose work requires them to address, perform, or supervise security or infrastructure protection activities as a part of their overall job responsibilities; (2) a final report summarizing the background research; (3) an updated interim meeting PowerPoint presentation suitable, upon revision, for posting on the project website; (4) a stand-alone 1-page executive summary in a suitable format of text and graphics aimed at senior decision makers; and (5) the Task 7 implementation technical memorandum.
STATUS: Complete. Follow-on work is under NCHRP Project 20-124.
Since 2009, when NCHRP's last Security 101 report was released, there have been significant advances in transportation security approaches, including new strategies, programs, and ways of doing business that have increased the security of transportation systems as well as ensured their resiliency.
Hazards and threats to the system have also continued to evolve since 2009. While the incidence of large-scale terrorist attacks has remained small, transportation agencies are at increasingly greater risk from system-disrupting events due to natural causes, unintentional human intervention, and intentional criminal acts, such as active-shooter incidents. Cyber risks also are increasing and can impact not only data, but the control systems—like tunnel-ventilation systems—operated by transportation agencies.>
The TRB National Cooperative Highway Research Program's NCHRP Research Report 930: Update of Security 101: A Physical and Cybersecurity Primer for Transportation Agencies provides valuable information about current and accepted practices associated with both physical and cyber security and its applicability to surface transportation.
The report is accompanied by a PowerPoint for the project and NCHRP Web-Only Document 266: Developing a Physical and Cyber Security Primer for Transportation Agencies.